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Encodings or the proof of their absence are the main way to compare process calculi. To analyse 
the quality of encodings and to rule out trivial or meaningless encodings, they are augmented with 
quality criteria. There exists a bunch of different criteria and different variants of criteria in order 
to reason in different settings. This leads to incomparable results. Moreover it is not always clear 
whether the criteria used to obtain a result in a particular setting do indeed fit to this setting. We show 
how to formally reason about and compare encodability criteria by mapping them on requirements 
on a relation between source and target terms that is induced by the encoding function. In particular 
we analyse the common criteria/M// abstraction, operational correspondence, divergence reflection, 
success sensitiveness, and respect of barbs', e.g. we analyse the exact nature of the simulation relation 
(coupled simulation versus bisimulation) that is induced by different variants of operational corre¬ 
spondence. This way we reduce the problem of analysing or comparing encodability criteria to the 
better understood problem of comparing relations on processes. 


1 Introduction 

Encodings are used to compare process calculi and to reason about their expressive power. Encodability 
criteria are conditions that limit the existence of encodings. Their main purpose is to rule out trivial 
or meaningless encodings, but they can also be used to limit attention to encodings that are of special 
interest in a particular domain or for a particular purpose. These quality criteria are the main tool in 
separation results, saying that one calculus is not expressible in another one; here one has to show that 
no encoding meeting these criteria exists. To obtain stronger separation results, care has to be taken in 
selecting quality criteria that are not too restrictive. Eor encodability results, saying that one calculus is 
expressible in another one, all one needs is an encoding, together with criteria testifying for the quality 
of the encoding. Here it is important that the criteria are not too weak. 

In the literature various different criteria and different variants of the same criteria are employed 
to achieve separation and encodability results llH |T3l [JS] [iTl [181 0 111 HU IH [H |24l Q. Some criteria, 
like full abstraction or operational correspondence, are used frequently. Other criteria are used to en¬ 
force a property of encodings that might only be necessary within a certain domain. Eor instance, the 
homomorphic translation of the parallel operator—in general a rather strict criterion—was used in ITTI 
to show the absence of an encoding from the synchronous into the asynchronous Ti-calculus, because 
this requirement forbids for the introduction of global coordinators. Thus this criterion is useful when 
reasoning about the concurrent behaviour of processes, although it is in general too strict to reason about 
their interleaving behaviour. Unfortunately it is not always obvious or clear whether the criteria used 
to obtain a result in a particular setting do indeed fit to this setting. Indeed, as discussed in ll2^ . the 

* Supported by funding of the Excellence Initiative by the German Eederal and State Governments (Institutional Strategy, 
measure ‘support the best’). 

^ NICTA is funded by the Australian Government through the Department of Communications and the Australian Research 
Council through the ICT Centre of Excellence Program. 

S. Crafa and D. Gebler (Eds.): Combined Workshop on Expressiveness in © K. Peters & R. J. van Glabbeek 

Concurrency and Structural Operational Semantics (EXPRESS/SOS 2015) This work is licensed under the 

EPTCS 190, 2015, pp. 46-[^ doi: 10.4204/EPTCS.190.4 Creative Commons Attribution License. 




K. Peters & R. J. van Glabbeek 


47 


homomorphic translation of the parallel operator forbids more than global coordinators, i.e., is too strict 
even in a concurrent setting. 

The different purposes of encodability criteria lead to very different kinds of conditions that are 
usually hard to analyse and compare directly. In fact even widely used criteria—as full abstraction— 
seem not to be fully understood by the community, as the need for articles as ||9l|23 shows. In contrast 
to that, relations on processes—such as simulations and bisimulations—are a very well studied and 
understood topic (see for example 0). Moreover it is natural to describe the behaviour of terms, or 
compare them, modulo some equivalence relation. Also many encodability criteria, like operational 
correspondence, are obviously designed with a particular kind of relation between processes in mind. 
Therefore, in order to be able to formally reason about encodability criteria, to completely capture and 
describe their semantic effect, and to analyse side conditions of combinations of criteria, we map them 
on conditions on relations between source and target terms. 

We consider the disjoint union of the terms or processes from the source and target lan¬ 

guages of an encoding. Then we describe the effect an encodability criterion C has on the class of 
permitted encoding functions in terms of a relation ^|.j that relates at least all source terms to their 
literal translations, i.e., contains the pair (5, [Sj) for all source terms S. If the encodability criterion 
C is defined w.r.t. some additional relations on the source or target languages, as it is the case for full 
abstraction and operational correspondence, we usually also include these relations in In order to 
completely capture the effect of a criterion C we aim at iff-results of the form 


[•J satisfies C iff fhere exisfs a relation ^|.j such thaf VS. {S, M) and P(%]), 

where P is fhe condition fhaf capfures fhe effecf of C. For example, an encoding reflecfs divergence iff 
there exists a relation such that VS. (S, [Sj) G ^|.] and ^|.] reflects divergence. 

We illustrate this approach by applying it to some very common criteria. We start with divergence 
reflection in §3.1[ because it is simple and well understood. Accordingly, we do not gain significant 
new insights, but it suits us very well to introduce our approach. In the same way success sensitiveness 
and respect of barbs are analysed. We then switch to the criteria full abstraction in §3.2| and operational 
correspondence in p.3[ which are possibly not completely understood yet. In particular, we show a 
connection between full abstraction and transitivity, and prove to which kinds of simulation relations 
common variants of operational correspondence are linked. In ^ we analyse the effects of combining 
the above criteria. Since we first map the criteria to conditions on relations between source and target 
terms, analysing their combined effect requires us to identify a suitable witness relation for the combined 
conditions. Combining divergence reflection and success sensitiveness is simple, as illustrated in §4.1| 
Combining these two criteria with operational correspondence (§4.2[) is more elaborate. Finally we 


analyse the effect of combining full abstraction with operational correspondence in ^.3 


All claims in this paper have been proved using the interactive theorem prover Isabelle/HOL ifTtill . 
The Isabelle implementation of the theories is available in the ‘Archive of Formal Proofs’ at 


http://afp.sourceforge.net/entries/Encodability_Process_Calculi.shtml 


2 Technical Preliminaries 

We analyse criteria used to reason about the quality of encodings between process calculi. We do not 
force any limitations on the considered calculi. A process calculus is a language .ifc = — >c) 

consisting of a set of terms —its syntax —and a relation on terms i— >c ^ x —its semantics. 
The elements of are called process terms or shortly processes or terms. 
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Here we assume that the semantics of the language is provided as a so-called reduction semantics, 
because in the context of encodings the treatment of reductions is simpler—the consideration of la¬ 
belled semantics and of criteria using labelled steps is left for further work. A step P i —>c P' is an 
element (P,P') G '— >c- Let l=>c denote the reflexive and transitive closure of i— >c- We write P i —>c 
if 3P'. P I —>c P' and P I— >c^ if P can do an infinite sequence of steps. A term P such that P i— is 
called divergent. 

Languages can be augmented with (a set of) relations ^ processes. If ^ C is 

a relation and B' C B, then J^\b' = {{x,y) \x,y ^B' f\{x,y) G denotes the restriction of M to the 
domain B' . A relation Pi preserves some condition P : B —)■ B (with B representing the Booleans) if 
whenever {P, Q) £ Pi and P satisfies P then Q satisfies P. A relation Pi reflects P if whenever {P, Q) £ Pi 
and Q satisfies P then also P satisfies P. Finally Pi respects a condition P if preserves and reflects it. 
We use r(-), s(-), and t(-) to denote the reflexive, symmetric, and transitive closure of a binary relation, 
respectively. 

Relations on process terms are an important tool to reason about processes and languages. Of special 
interest are simulation relations; in particular bisimulations. is a bisimulation if any two related pro¬ 
cesses mutually simulate their respective sequences of steps, such that the derivatives are again related. 

Definition 2.1 (Bisimulation) Pi is a (weak reduction) bisimulation if for each {P, Q) £ Pi: 

, P^P' implies 32'. 2 ^ 2' A (P', Q') £ M 

• Q P=> Q' implies 3P'. P \=^ P' A (P', Q') £ Pi 
Two terms are bisimilar if there exists a bisimulation that relates them. 

The definition of a strong (reduction) bisimulation is obtained by replacing all l=^ by i—in the above 
definition, i.e., a strong bisimulation requires that a step has to be simulated by a single step. Coupled 
similarity is strictly weaker than bisimilarity. As pointed out in GTl . in contrast to bisimilarity it allows 
for intermediate states in simulations: states that cannot be identified with states of the simulated term. 
Each symmetric coupled simulation is a bisimulation. 

Definition 2.2 (Coupled Simulation) A relation Pi is a (weak reduction) coupled simulation if both 
(32'. 2 ^ 2' A (P', 2') G Pi) and (32'. 2 ^ 2' A (2',P') G whenever (P, Q)£PiandP^ P'. 
Two terms are coupled similar if they are related by a coupled simulation in both directions. 

An encoding from P£% = — >s) into PAj = (.^t,'—^t) relates two process calculi. We call 

Pis the source and Pij the target language. Accordingly, terms of P^s are source terms and of 
target terms. In the simplest case an encoding from .^s into .ifj is an encoding function [[.J : P^s 
from source terms into target terms. Sometimes an encoding is defined by several functions, such as the 
encoding function and the renaming policy used in the framework of [8^ Else we identify an encoding 
with its encoding function. 

An encodabUity criterion is a predicate on encoding functions, used to reason about the quality of 
encodings. We analyse such criteria by mapping them on requirements on relations Pi^.^ C [P^s W 
on the disjoint union of the source and target terms of the considered encodings [[.]]. To simplify the 
presentation we assume henceforth that P^s H P^v = 0 and thus P^s W = =^8 U The Isabelle 
proofs do not rely on such an assumption. We say that a condition P : {l^s W PP-i) —>• B is preserved 
by an encoding if for all source terms S that satisfy P, the condition P also holds for [S]]. A condition 
is reflected by an encoding if whenever [S]] satisfies it, then so does S. Einally an encoding respects a 
condition if it both preserves and reflects it. 
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3 Analysing Encodability Criteria 

An encoding function [[•]] : maps source terms on target terms. Thereby it induces a relation on 

the combined domain of source and target terms that relates source terms with their literal translations. 
We start with this relation, i.e., in the simplest case we map an encodability criterion to a requirement on 
a relation C that contains at least the pairs (S, [Sj) for all source terms S G If we 

consider a criterion that is defined w.r.t. some relations on the source or target, we will also include these 
relations in .^|.j, possibly closing the latter under reflexivity, symmetry, and/or transitivity. 

Alternatively, we could require that ,^|.j relates source terms and their literal translations in both 
directions, meaning that (5, [Sj) G ^|.] and ([[S]] ,S) G ^|.] for all source terms S G However, 
this condition limits our analysis to properties that are respected. It does not allow us to reason about 
properties like divergence reflection, where some condition need only to be reflected but not necessarily 
be preserved, or vice versa. Accordingly we follow the first approach. 

3.1 Divergence Reflection and Observables 

We start with divergence reflection as defined in ||8l, because it is often easy to establish and well under¬ 
stood. An encoding reflects divergence if it does not introduce divergence, i.e., if all divergent translations 
result from divergent source terms. 

Definition 3.1 (Divergence Reflection) An encoding [•]] : reflects divergence if [S']] i—)- t® 

implies S i — >s“ far all source terms S G ^s- 

We can reformulate this criterion as follows: An encoding reflects divergence if it reflects the pred¬ 
icate XP. P I— fa. To analyse this criterion it suffices to consider the relation { {S, [[^J) | 5 G }■ It is 
obvious that an encoding reflects divergence iff {(5, [Sj) | S G ^s} reflects divergence, i.e., reflects 
the predicate XP. P i— fa. In fact we can generalise this case. If an encodability criterion can be 
described by the preservation or reflection of a predicate, then an encoding satisfies this criterion iff 
{ {S, [[^J) I 5 G } preserves or reflects this predicate. Of course direction “if” holds for any relation 
that contains at least the pairs {S, [S']]). We use the relation { {S, [S']]) | 5 G } as a witness and it allows 
us to analyse the combination of different criteria later. 

Lemma 3.2 (Preservation) Let P : {jfas W =^t) —)• B a predicate. An encoding preserves the predi¬ 

cate P iff3Af^.^. (ys. (S, [Sj) G l\^\\ preserves P. 

We obtain a similar result if we replace the unary predicate P(-) by the binary predicate P(-,-) of type 
{^s W ifaj) X B for some arbitrary type to represent predicates with several parameters. More¬ 
over we obtain the same result for either reflection or respect instead of preservation. 

Accordingly an encoding reflects divergence, i.e., the predicate XP. P i— fa, iff there exists a relation 
that relates at least each source term to its literal translation and reflects this predicate. 

Lemma 3.3 (Divergence Reflection) An encoding [[•]] : Ifajfrom fa's into faj reflects divergence 

#3%]. (V5. (5,M)G%])A reflects divergence. 

In a similar way we can deal with the criterion barb sensitiveness. A barb is a property of a process 
that is treated as an observable, and whose reachability should be respected by an encoding. We assume 
that is a set of barbs that contains at least all barbs of the source and the target language. Moreover we 
assume that each language fa specifies its own predicate • such that P^jea returns true if P G 
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and P has the barb a in . If a barb a is not relevant or present in a language ^ then does not hold 

for any P £ We use P\\-^a if P reaches the barb a in i.e., P-lj-if a = 3P'.P P' f\P'a. 

An encoding weakly respects source term barbs iff it respects the predicate XP a. P\\. a. This holds 
iff { (S, [S']]) I S G } respects this predicate, which in turn is the case iff there exists a relation 
that relates at least each source term to its literal translation and respects this predicate. 

Lemma 3.4 (Barb Sensitiveness) Assume .ifs and each define a predicate • • : =^3^ x B. 

[[•J : —)• weakly respects barbs . (fi/S. {S, [Sj) G A weakly respects barbs. 

Again we obtain a similar result if we replace respect by preservation or reflection or if we consider the 
existence instead of the reachability of barbs. 

However, only very few encodings directly preserve or reflect barbs. More often barbs are translated, 
as for example in the encodings between different variants of the Ti-calculus in ifTSl |23l or the two 
translations from CSP into variants of CCS with name passing in IITOll . Since we do not fix the definition 
of -iif •, this can for instance be expressed by adapting this predicate in the target language. 

In a similar way we can deal with the criterion success sensitiveness. This criterion was proposed 
by Gorla as part of his encodability framework ||8l. An encoding is success sensitive if it respects reach¬ 
ability of a particular process / that represents successful termination, or some other form of success, 
and is added to the syntax of the source as well as the target language. We write to denote the fact 
that P is successful—however this predicate might be defined in the particular source or target language. 
Reachability of success is then defined as RJJ-/ = 3P'. P l=^ P' AP'J,/. An encoding is success sensitive 
if each source term and its translation answer the test for reachability of success in the same way. 

Definition 3.5 (Success Sensitiveness) Let <^nd each define a predicate -J,/: B. An encod¬ 
ing [[•]] : -£■ is success sensitive if, for all S G 5'J|/ iff [S']] (J-/. 

Accordingly, an encoding is success sensitive iff it respects the predicate XP. PJJ-/. This is the case iff 
{ (5, [Sj) I 5 G } respects this predicate, which in turn is the case iff there exists a relation .^|.j that 
relates at least each source term to its literal translation and respects this predicate. 

Lemma 3.6 (Success Sensitiveness) Assume and Afir each define a predicate • B. An 

encoding [[•]] : success sensitive iff3l%^.-^. (VS. (S, [S']]) G A.^|.] respects XP. PJJ-/. 

Success sensitiveness links source term behaviours to behaviours of target terms. If the source and 
the target language are very different, they can impose quite different kinds of behaviour that might be 
hard to compare directly. For example, observables in the TT-calculus refer to the existence of unguarded 
input or output prefixes lITTIl . whereas in the core of mobile ambients there are no in- or outputs but only 
ambients and action prefixes that describe the entering, leaving, and opening of an ambient 01. Success 
sensitiveness allows to compare such languages by introducing a new kind of barb that can be understood 
in both calculi. If we want to compare two languages that are very similar, such as two variants of the 
same calculus, we can demand stricter encodability criteria and compare their barbs directly. 

Next we concentrate on criteria that cannot be expressed simply by the preservation or reflection of 
some predicate. 

3.2 Full Abstraction 

Full abstraction was probably the first criterion that was widely used to reason about the quality of 
encodings ||2^[T^|22]| . This criterion is defined w.r.t. a relation on source terms and a relation 

■^T G on target terms. An encoding is fully abstract w.r.t. and if two source terms are related 
by iff their literal translations are related by 
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Definition 3.7 (Full Abstraction) An encoding [[•]] : 13^^ —)• is fully abstract w.r.t. the relations 3?^ C 

^3 and C if, for all 81 , 82 ^ ^s. (>51,52) G ffs #(ll5i]], [[ 52 ]]) G ^t- 

There are a number of trivial full abstraction results, i.e., results that hold for all (or nearly all) encodings 
(see e.g. 101201 ). In particular, for each encoding and each target term relation Mt; C 3^^ there exits a 
source term relation Ms C namely { (5i,S2) | ([[5i]], [52]]) G such that the encoding is fully 
abstract w.r.t. Ms and M'l. For each injective encoding and each source term relation Ms C there 
exits Mt C namely { ([[5i]], [52]]) | (51,52) G Ms }, such that the encoding is fully abstract w.r.t. Ms 
and M-\. Accordingly we consider full abstraction w.r.t. fixed source and target term relations. 

As suggested above, we map this criterion on a relation that relates at least each source term to its 
literal translation and includes the relations Ms and M'l. If we additionally add pairs of the form ([Sj ,S) 
for all 8 G Ms, we make an interesting observation. If we surround the pair (5i,52) G Ms by the pairs 
([5i]| ,5i) and (S 2 , [52]]) and add transitivity we obtain the pair ([5i]|, [52]]). Similarly, from transitivity, 
(Si, [5i]|), ([SiJ, [ 52 ]]), and ([ 52 ]] , 52 ) we obtain the pair (Si,S 2 ). Because of this, an encoding is fully 
abstract w.r.t. the preorders Ms and M'l iff there exists a transitive relation My^ that relates at least each 
source term to its literal translation in both directions, such that the restriction of M^^ to source/target 
terms is MsIMi- 

Lemma 3.8 (Full Abstraction) [-J : Ms Mt is fully abstract w.r.t. the preorders Ms C M^ and Mj C 
MjiffBM^.j. (VS. {8,l8j),{l8j,8) eM^.j) AMs=Mi.j\ff>^AMT = Mi-j f A Mi^.j is transitive. 

Thus an encoding is fully abstract w.r.t. Ms and Mj if the encoding function combines the relations Ms 
and Mj in a transitive way. 

In order to allow combinations with criteria like divergence reflection, i.e., predicates that are not 
respected but preserved or reflected, we get rid of the requirement on the pairs ([Sj ,S). Therefore we 
consider the symmetric closure of ^[.j. An encoding is fully abstract w.r.t. the equivalences Ms and Mj 
iff there exists a relation M^^.j that relates at least each source term to its literal translation, such that the 
restriction of the symmetric closure of Mjj^.j to source/target terms is MsIMj and the symmetric closure 
of M^.j is a preorder. 

Lemma 3.9 (Full Abstraction) An encoding [-J : Ms —>• Mi is fully abstract w.r.t. the equivalences 
■^s ^ Ml and Mi C M^. iff 3M\^.t^. (VS. (S, [Sj) sMj^j') AMs = s(^|.]) A Mi = s{M^^') 
s (^[.j) is a preorder. 

Since it is always possible to construct a relation that includes Ms, Mj, and pairs (S, [Sj), the crucial 
requirement on the right-hand side is transitivity. A discussion of this criterion and references to earlier 
such discussions can be found in l[22l l9l. 

3.3 Operational Correspondence 

To strengthen full abstraction it is often combined with operational correspondence. This criterion re¬ 
quires that source terms and their translations ‘behave’ similar, by requiring that steps are preserved and 
reflected modulo some target term relation Mj C M^. Intuitively an encoding is operational correspond¬ 
ing w.r.t. Ml if each source term step is simulated by its translation, i.e., [-J does not remove source 
behaviour {completeness), and each step of the target is part of the simulation of a source term step, 
i.e., [-J does not introduce new behaviour {soundness). There are a number of different variants of this 
criterion. We consider three unlabelled variants |[T5l 1^. In particular the last variant, proposed in [8], 
was used for numerous encodability and separation results. 
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Definition 3.10 (Operational Correspondence) An encoding [[•]] : —)■ is strongly operationally 

corresponding w.r.t. C if it is: 

Strongly Complete: \fS,S'. S i—)-s S' implies {3T. [Sj i —)-t T A ([[S']] ,T) G ^t) 

Strongly Sound: VS, T. [Sj i —)-t T implies (3S'. S i —>$ S' A ([S']] ,T) £ ^t) 

[•]] : ^ E operationally corresponding w.r.t. if it is: 

Complete: MS,S'. S^^S' implies {3T. [S]] A ([S']], T) £ ^x) 

Sound: MS, T. [S]] ^x^ implies (3S'. S^sS' A ([S']], T) £ Mfj) 

[•J : -£■ is weakly operationally corresponding w.r.t. C if it is: 

Complete: MS,S'. S^^S' implies {3T. [S]] ^x^ A ([S']], T) £ ^-y) 

Weakly Sound: MS, T. [S]] ^x^ implies {3S', T'. S^sS' A T^'yT' A ([S']], T') £ fgj) 

Again this criterion is trivial if we do not fix the target term relation. Each encoding is operational 
corresponding w.r.t. the universal relation on target terms. 

The formulation of operational correspondence (in all its variants) strongly reminds us of simulation 
relations on processes, such as bisimilarity. Obviously this criterion is designed in order to establish 
a simulation-like relation between source and target terms. We now determine the exact nature of this 
relation. The first two variants exactly describe strong and weak bisimilarity up to More precisely, 
an encoding is operational corresponding w.r.t. a preorder that is a bisimulation iff there exists a 
preorder ^[.j, such as t(r({ (S, [5]]) | S £ } U^x))> that is a bisimulation, relates at least all source 

terms to their literal translations, and such that M'y = and for all pairs (S, T) £ it holds that 

([5]], r) £ ff'Y. The last condition is necessary to ensure operational correspondence, and M-y = 
ensures that Sf-Y is a bisimulation if is. Accordingly, operational correspondence ensures that source 
terms and their translations are bisimilar. 

Lemma 3.11 (Operational Correspondence) An encoding [•]] : liPs —^ <^t i^ operational correspond¬ 
ing w.r.t. a preorder C that is a bisimulation ijf (V^. {S, [5]]) G A.^x = 

A {MS, T. {S, T) £ .^|.j —)• ([Sj, T) £ Mfj) A.^|.] is a preorder and a bisimulation. 

We obtain the same result if we replace operational correspondence by strong operational correspondence 
and bisimulation by strong bisimulation. 

Weak and strong bisimilarity are often considered as the standard reference relations for calculi like 
the TT-calculus. Thus the above result imposes an important property for the comparison of languages. 
If bisimilarity is the standard reference relation, i.e., if we usually do not record differences between 
terms that cannot be observed by bisimilarity, then an encoding that ensures that source terms and their 
translations are bisimilar strongly validates the claim that the target language is at least as expressive as 
the source language. Nonetheless, comparisons of different languages are very often considered only 
modulo weak operational correspondence and not operational correspondence. As discussed in ETlfTOll . 
relating source terms and their literal translations by a bisimulation does not allow for intermediate states, 
i.e., states that occur in simulations of source term steps and thus intuitively are in between two source 
term translations but are not related to source terms themselves. Intermediate states result from partial 
commitments. If a source term can evolve to one of three different derivatives, operational correspon¬ 
dence (in all variants) ensures that the translation has the same possible evolutions. But operational 
correspondence requires that the decision on which of the three possibilities is chosen is done in a single 
step. Weak operational correspondence allows for partial commitments, where a first step may rule out 
one possibility but not decide on one of the remaining two. Thus weak operational correspondence is 
much more flexible and allows to encode source term concepts that have no direct counterpart in the 
target. 
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Obtaining a result similar to Lemma 3.11 for weak operational correspondence is not that easy. Again 
this criterion is linked to a simulation condition on relations between source and target terms up to 
but weak operational correspondence does not directly map to a well-known kind of simulation relation. 
It is linked to a simulation relation that is in between coupled similarity and bisimilarity. We call it 
correspondence similarity. 


Definition 3.12 (Correspondence Simulation) A relation M is a (weak reduction) correspondence sim¬ 
ulation if for each {P, Q) € M: 

• p |=^> p' implies BQ'. Q g' A (P', Q') G 
» Q^Q' implies BP”, Q”.P^ P” AQ'^ Q” A (P", Q”) e ^ 

Two terms are correspondence similar if a correspondence simulation relates them. 


Just as coupled similarity, correspondence similarity allows for intermediate states that result from partial 
commitments, but in contrast to coupled similarity these intermediate states are not necessarily covered 
in the relation. Correspondence similarity is obviously strictly weaker than bisimilarity, but it implies 
coupled similarity. 

Lemma 3.13 For each correspondence simulation M there exists a coupled simulation M' such that 

v(p,e)G.^. (p,G),(e,p)G^'. 


Correspondence simulation is linked to weak operational correspondence in the same way as bisim¬ 
ilarity is linked to operational correspondence. 


Lemma 3.14 (Weak Operational Correspondence) [•]] : ^ weakly operat. corresp. w.r.t. a 

preorder C that is a correspondence simulation iffB^^.j. (ys. {S, [S']]) G .^|.j) A = .^|.j |" 

A (vs, P. (S, P) G —)• ([Sj, P) G Sff) A.^|.] is a preorder and a correspondence simulation. 


Accordingly, weak operational correspondence ensures that source terms and their literal translations are 
correspondence similar and thus coupled similar. 

Correspondence similarity and coupled similarity are weaker than bisimilarity. Nevertheless, prov¬ 
ing that a relation is a correspondence simulation and, even more, showing that a particular pair of terms 
is contained in a correspondence simulation, can be more difficult than it is in the case of hi si mill a - 
tion. Fortunately, encodings that satisfy only weak operational correspondence—and introduce partial 
commitments—often do so w.r.t. a variant of bisimilarity. As example consider the de-centralised encod¬ 
ing of ifTOl . It translates from CSP into asynchronous CCS with name passing and matching. ifTOll proves 
that this encoding is operational corresponding w.r.t. a target term preorder that is a weak reduction 
bisimulation. Thus, by Lemma 3.14[ the encoding ensures that source terms and their literal translations 
are correspondence similar, and thus coupled similar. 


4 Combining Encodability Criteria 

As done in ||8l, often several different criteria are combined to ensure the quality of an encoding. Of 
course we have to ensure that the criteria we want to combine do not contradict each other and thus 
trivially rule out any kind of encoding. Moreover, the combination of criteria might lead to unexpected 
side effects, such that their combined effect on the quality of encodings is no longer obvious or clear. 
One major motivation of our desire to analyse encodability criteria is to be able to formally compare 
them and analyse side effects that result from their combinations. 

In the previous section we derive iff-results linking a single criterion with the existence of a relation 
between source and target terms satisfying specific condifions. Of course we can frivially combine fwo 
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such results by considering two different source-target relations on the right-hand side. But this way 
side effects that results from the combination of the criteria remain hidden. Instead we want to combine 
the criteria into conditions of a single source-target relation. Therefore we need to find a witness, i.e., a 
relation that satisfies fhe conditions of bofh relafions. 


4.1 Divergence Reflection and Success Sensitiveness 

The combinations of criferia defined on fhe pairs of .^|.j—such as fhe preservafion, refiecfion, or respecf 
of some predicafe—are easy fo analyse. Obviously an encoding reflecls divergence and respecfs success 
iff fhere exisfs a relafion .^|.j fhaf relafes af leasf each source term fo ifs liferal franslafion and bofh reflecls 
divergence and respecfs success. 


Lemma 4.1 Assume .ifs and Jfr each define a predicate],^: B. [[•]] : ^ reflects divergence 

and respects success . (fiS. {S, [S']]) G reflects divergence and respects success. 


The <^-direclion of Lemma [4~T] is an immediafe corollary of Lemmas 3.3 and |3.6| For fhe ofher direction 
we oblain from Ihese lemmala Iwo relafions lhal salisfy fhe condifion C = \/S. {S, [Sj) G and of 
which one reflecls divergence and fhe ofher respecfs success. We have fo combine Ihese Iwo relafions 
info a single relation lhal safisfies all Ihree condifions. If fhe latter Iwo condifions are defined on fhe pairs 
of fhe respecfive relafions, fhis is always possible. The reason is lhal fhe condifion C ensures lhal we can 
use { (S, [[‘S']]) I S G } as a wilness for bofh relafions and Ihus as a wifness for Iheir combined effecl. 
More precisely, if fhere are Iwo relafions lhal bofh salisfy C and each safisfies a predicale aboul fhe pairs 
of fhe respective relafion, Ihen fhere exisfs a single relafion, namely { (S, [S']]) | 5 G }> thal safisfies all 
Ihree condifions. 


Lemma 4.2 Let and the predicates P 1 , P 2 fic such that V/ G { 1,2 }. MS. {S, [S']]) G 

and Mi ^ { 1,2 } . V (F, 2) G P;((F, Q)). Then there exists a relation .^|.j C 1+) such that 
MS. {S, M) G ^.1 andMie{l,2}.M (P, Q) G %]. Pi{{P, Q)). 


4.2 Adding Operational Correspondence 

Gorla |'8] combines five criteria fo define ‘good’ encodings. Three of ihese—fhe ‘semanlicaT ones—we 
considered in Seclionj^ weak operational correspondence (called ‘operational correspondence’ in O) 
w.r.l. a relafion success sensifiveness, and divergence refiecfion. Gorla assumes lhal, ‘for fhe sake of 
coherence’ as he claims, fhe relafion Mt; never relafes Iwo process Tp and Tq such lhal Tpfl/ and Tq 
i.e., Ml has fo respecf (reachabilily of) success. This allows us fo find a wilness relafion fo combine fhe 
effecl of weak operalional correspondence and success sensifiveness. Our iff-resull for weak operational 
correspondence requires lhal fhis relafion is a preorder, has fo relale source lerms wilh Iheir liferal Iransla- 
lions, and satisfies M'l = .^|.j f Because of lhal, a minimal wifness is l(r({ {S, [S']]) | 5 G Ms juMj)). 
This wifness also satisfies MS,T- (‘S,T) M Mj^.i —)■ ([Sj ,T) M Mj. Wilhouf fhe condition lhal Mj re¬ 
spects success—or anofher suilable assumption—we cannol ensure lhal f(r({ (S, [S']]) | S G Ms } UMt)) 
respecfs success and Ihus we find no wilness for fhe combinalion of fhe respecfive condifions. 

Lemma 4.3 Assume M's , My each define a predicate],^: M —)-M. An encoding [[•]] : Ms —)• Mj is success 
sensitive and weakly operational corresponding w.r.t. a preorder M-y G M^ that is a success respecting 
correspondence simulation iff 3^|.j. (MS. (S, [S']]) G ) A Mj = A respects success A 

iffSff. (Sff) G ■^[■1 (M ) ^ -^t) a is a preorder and a correspondence simulation. 
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d I-> S2 





-^T = ({ fl, ^2,^3 },{(?!, fa), (^ 3 ,^ 3 )}) 
= t(r({(f2,f3)})) 

Isij = t\ and ls 2 j = f 2 


Figure 1: Encoding satisfying operational correspondence and divergence reflection 


We obtain a similar result if we replace weak operational correspondence and correspondence simulation 
by operational correspondence and bisimulation. Similarly, we can replace weak operational correspon¬ 
dence, correspondence simulation, and the predicate JJ-/ in the definition of success sensitiveness by 
strong operational correspondence, strong bisimulation, and|/. Also, in all variants of the above result 
we can add on the left-hand side that the encoding as well as (weakly) respect barbs iff we add on 
the right-hand side that (weakly) respects barbs. 

As an example we can consider—once more—the de-centralised encoding from CSP into a variant 
of CCS of ifTOl . Additionally to operational correspondence w.r.t. a preorder that is a bisimulation, 
lUOll proves that this encoding satisfies success sensitiveness, divergence reflection, barb sensitiveness— 
w.r.t. standard CSP barbs in the source and a notion of translated barbs in the target—and preservation 
of distributability (a criterion defined in |[25]l l. respects success and weakly respects barbs (but 
does not reflect divergence). Thus the encoding ensures that source terms and their literal translations 
are correspondence similar and thus coupled similar w.r.t. a relation that respects success and weakly 
respects barbs. 

Success sensitiveness significantly strengthens the requirements on a simulation relation like corre¬ 
spondence simulation or bisimulation. Thus the combined effect—a success respecting correspondence 
simulation—is stronger than the effects of both criteria considered in isolation—a correspondence simu¬ 
lation and a success respecting relation. Accordingly, the framework of Gorla in |'8 ] ensures that (among 
other conditions) source terms and their literal translations are correspondence similar w.r.t. a success re¬ 
specting relation and thus—to refer to a more established simulation relation—are coupled similar w.r.t. 
a success respecting relation. 

In im there is no such condition that links and divergence reflection. Requiring that reflects 
divergence would e.g. exclude weak bisimulation. Since this relation is often referred to as the standard 
relation for calculi as the Ti-calculus, excluding it would be too strict a requirement. As a consequence, 
the criteria in ||8l do not allow to combine the effects of weak operational correspondence and divergence 
reflection into a single relation, as done for success sensitiveness. Consider the following counterexam¬ 
ple, visualised in Figure [T] Obviously the encoding—indicated by the dotted line—satisfies operational 
correspondence w.r.t. —indicated by the dashed line—and reflects divergence. But to relate and 
its literal translation by a correspondence simulation, we have to simulate the step 5'i 1 —)-s ^ 2 - 

Therefore we need either the pair ( 52 ,^ 3 )—which can be obtained by including in .^|.j—or the pair 
( 52 , ti), but in either case the respective source-target relation does not reflect divergence. Thus in gen¬ 
eral an encoding that satisfies the criteria of f8] induces a source-target relation that is a correspondence 
simulation that only partially reflects divergence. 

Of course particular encodings might satisfy stronger requirements than enforced by the minimal 
setting in [Si]. If the encoding is operational corresponding w.r.t. a relation that reflects divergence, 
we can combine the effects of these two criteria in one relation. Accordingly, if an encoding reflects 
divergence, respects success, and satisfies operational correspondence w.r.t. a preorder that is a success 
respecting and divergence reflecting bisimulation, we can combine the conditions of all three relations 
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as in the following lemma. 

Lemma 4.4 Assume and each define a predicate J,/: B. An encoding [[•]] : —)• 

refiects divergence, respects success, and is operational corresponding w.r.t. a preorder M'j C that 
is a success respecting and divergence reflecting bisimulation (ys. (5, [Sj) € l\Mv = 

%]r^,A(V5,r. (5,r)E ^ ^t) a reflects divergence, respects success, and is a 

preorder and a bisimulation. 

Again we obtain similar results for weak operational correspondence and correspondence simulation as 
well as for strong operational correspondence, strong bisimulation, and|/. 

4.3 Full Abstraction and Operational Correspondence 

Before the framework in l|3 was proposed, often a combination of full abstraction and operational cor¬ 
respondence was used. For simplicity we switch to source-target relations that relate source terms and 
their literal translations in both directions and assume that Ms and Mv are equivalences in the following. 
Then a witness for the effect of operational correspondence is t(r({ (S, [Sj), ([Sj ,S) | 5 E Ms juMj))- 
Since this relation is transitive, it indeed suffices as witness to combine the effects of full abstraction 
and operational correspondence. The only obstacle left is that, to cover the effect of full abstraction, the 
source-target relation should also include Ms- Fortunately we do not have to include Ms by construction, 
because its inclusion is ensured by full abstraction and the inclusion of Mj. For every encoding [[•]] that 
is fully abstract w.r.t. Ms and Mj and for all transitive relations My^ that relate at least all source terms to 
their literal translations in both directions, M^^ contains Ms iff the restriction of M^r^ to encoded source 
terms contains the restriction of M-\ to encoded sources. 

Lemma 4.5 Let [•]] : Ms —)• Mv be an encoding that is fully abstract w.r.t. Ms C M\ and Mj C Mj 
and let M^.-^ C [Ms W Mv)^ be transitive such that VS. (S, [Sj), ([S]] ,S) E M^.y Then Ms = My^ \iff 
VSi,S 2 . ([Sil, [S 2 I) E ^ (ISil, [S 2 I) E %]. 

Because of that an encoding is fully abstract w.r.t. Ms and M'l and operational corresponding w.r.t. 
a bisimulation M-x iff there exists a transitive bisimulation that relates source terms and their literal 
translations in both directions and contains Ms and M'l. 

Lemma 4.6 Let Ms C M\ and Mj C Mj be equivalences. An encoding [•]] : Ms —)• Mj is fully ab¬ 
stract w.r.t. Ms and Mi and operational corresponding w.r.t. Mi and Mi is a bisimulation iff3Mj^.j. 
(VS. (S,[S1),([S1,S)E%]) A^s = M^.j \ A Ml = Mj^.i f A ^|.j is a transitive bisimulation. 

So what do we gain by combining the two criteria, that we do not obtain from each of them in 
isolation? In comparison to our iff-result for operational correspondence we add only the condition that 
Ms = ^|.] . As a consequence Ms has to be a bisimulation. 

Full abstraction ensures that Ms and Mi have the same basic properties. For example, if we ei¬ 
ther consider surjective encodings (VT. 3S. T = [Sj) or restrict Mi to encoded source terms ({(ri,r 2 ) | 
3 Si,S2 . T\ = [Si]] AT 2 = [S 2 ]] A {Ti,T 2 ) E Mi}), then Ms is reflexive iff Mi is reflexive, and similarly 
for symmetry and transitivity. But properties such as being a bisimulation are not respected by full ab¬ 
straction on its own. As counterexample consider the fully abstract but not operational corresponding 
encoding in Figure Here Ms is a bisimulation but Mi is not. By removing the arrow t 2 '—)-t (3 from 
the target and adding it to the source S 2 '—>-s ^3, the encoding remains fully abstract and Mi becomes 
a bisimulation but Ms loses this property. Operational correspondence does not refer to a source rela¬ 
tion Ms and thus does not enforce any properties on this relation. But combining full abstraction with 
operational correspondence w.r.t. a bisimulation Mi enforces Ms to be a hi simulation. 
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^S = {{SI,S2,S^} ,%) 

^ -^T = ({fl,f2,?3 } ){ (^ 2 ,^ 3 ) }) 

= t(s(r({ ( 51 , 52 )}))) and^T = t(s(r({(fi,f 2 )}))) 

Isij = h, [[ 52 I = t 2 , and [ 53 I = t3 


Figure 2: Encoding satisfying full abstraction but not operational correspondence 


Lemma 4.7 Let Ms C and C be equivalences. If an encoding [•]] : Ms Mj is fully 
abstract w.r.t. Ms and Mj and operational corresponding w.r.t. Mt: and Mi is a bisimulation then Ms is 
a bisimulation. 

To conclude that Ms is a bisimulation iff Mi is a bisimulation, we have to get rid of pairs in Mi that do 
not result from pairs of encoded source terms and their derivatives, because operational correspondence 
provides no information about such pairs. The simplest way to do so, is to assume a surjective encoding. 
Lemma 4.8 Let Ms C and Mj C Mj be equivalences. If an encoding [[•]] : Ms Mi is surjective 
fVr. 3S. T = Is}), fully abstract w.r.t. Ms and Mi, and operational corresponding w.r.t. Mi then: 

Ms is a bisimulation iff Mi is a bisimulation 


5 Conclusions 

Within this paper we provide a number of results about different encodability criteria. In particular: 

• We analyse divergence reflection, barb sensitiveness, success sensitiveness, full abstraction, and 
operational correspondence as well as several combinations of these criteria. 

• We prove that different variants of operational correspondence correlate with different kinds of 
simulation relations from coupled similarity to strong bisimilarity. 

• We define a new kind of simulation relation—correspondence similarity—that completely covers 
the effect of weak operational correspondence as proposed in [81. 

• We relate the combination of success sensitiveness and operational correspondence w.r.t. a bisimu¬ 
lation with the existence of a success respecting bisimulation between source terms and their literal 
translations. 

• We show that for surjective encodings the combination of full abstraction w.r.t. Ms and Mi and 
operational correspondence w.r.t. Mi implies that Ms is a bisimulation iff Mi is a bisimulation. 

In Q a quality criterion for encodings was proposed that requires the translation [Sj of a source term 
S to be related to S according to a behavioural equivalence or preorder defined on a domain of interpre¬ 
tation (such as labelled transition systems or reduction-based transition systems with barbs) that applies 
to both languages. This behavioural relation has to be chosen with care and should be meaningful for the 
application at hand. Possible choices include strong and weak barbed bisimilarity, barbed weak coupled 
simulation equivalence, or (in between) our new correspondence preorder. Iff-results—as the results 
above—^relate these instances of the criterion discussed in fT] with other encodability criteria. In partic¬ 
ular, by the results of Section]^ if an encoding satisfies the criterion of fTil w.r.t. (weak) bisimilarity, then 
it also satisfies operational correspondence w.r.t. (weak) bisimilarityj^ Moreover, if an encoding satisfies 
the criterion of [71 w.r.t. correspondence similarity, then it also satisfies weak operational correspondence 
w.r.t. coupled similarityj^ 

* And by the results of Section 4 the bisimulation may be required to (weakly) respect barbs at both sides of the implication. 

^We may not conclude that it also satisfies weak operational correspondence w.r.t. correspondence similarity, at least not 
when also weakly respecting barbs. A counterexample can be found in Figure There we have a weakly barb respecting 







58 


Analysing and Comparing Encodability Criteria 


iifs iifs ^ ‘^2 ^ 

■^T = i{h,t2,t3d4,t5da,tc} , 

{ ihds) , {t2,t4) , (hdc) , (tsds) , {hda) , {t4da) , (?5,?c) }) 

^corr sim. = { (5l,fl) , ( 52 ,^ 2 ) , [Slfy) , {SaAa) , (■^cfc) } 

Isij = ti, [[ 52 I = t 2 , [[^aj = ta, and Iscj = C 

Figure 3: Encoding not satisfying weak operational correspondence w.r.t. to a correspondence simulation 
that weakly respects barbs, even though i%cotr. sim. is a weakly barb respecting correspondence simulation 
relating each source term with its encoding 



The above results may leave the impression that we try to replace common encodability criteria by 
conditions on relations between source terms and their translations. That is not the case. But we provide 
alternative ways to prove different criteria. An example of how the above results can be used to reason 
about the quality of an encoding are the two encodings of ifTOll . That paper analyses ways to encode 
the CSP synchronisation mechanism following an approach of iTTl . The latter shows that a central 
encoding of a similar synchronisation mechanism ensures that source terms and their translations behave 
bisimilar, whereas a decentralised encoding only ensures coupled similarity. Proving coupled similarity 
can be more difficult than proving bisimilarity. Here our results allow to decrease the proof burden. With 


Lemma 3.14 we can conclude from weak operational correspondence w.r.t. a bisimulation that source 
terms and their literal translations are coupled similar, without having to deal with coupled similarity 
directly. This way we have to deal with the difficult partial commitments, which are introduced by the 
de-central implementation, only in operational correspondence and not when relating target terms. 

In retrospective, mapping encodability criteria on requirements of a relation between source and tar¬ 
get terms seems quite natural. Indeed the main challenge of the above presented iff-results was not in 
proving them but in finding the exact matches between variants of the considered criteria and require¬ 
ments on the relation. As a consequence we had to define a new kind of simulation relation to capture 
the version of operational correspondence used in |(8l. 

We do not claim that it is always simple to obtain iff-results as presented in this paper or that we 
provide a strategy to obtain such results. Instead we claim that proving such results formally captures the 
effect of a criterion on the quality of an encoding function and thus(l) helps us to understand a criterion, 
(2) allows to identify unexpectedly strict or weak criteria (3) allows to compare (sets of) criteria, and 
(4) allows to analyse the side effects that result from the combination of criteria. Analysing criteria this 
way is not necessarily straightforward. To illustrate this, consider the requirement on the preservation of 
the (degree of) distribution of a process (preservation of distributability). In the context of asynchronous 
distributed systems this requirement is very important. 

Several attempts to capture it were proposed in the literature. At least for the Ti-calculus, the most 


correspondence simulation relating S 2 with 12 and S 2 with t^, but, due to the asymmetric nat ure of correspondence simulations, 
there is no weakly barb respecting correspondence simulation relating t 2 and f 3 nBy Lemma 3.13 the terms t 2 and to, are weakly 

barb respecting coupled similar, however. _ 

^This example does not contradict the weakly barbed variant of Lemma [43] for its right-hand side does not hold. Namely, 
the condition V5. (S, JS]) £ .^|.| forces (ii ,ti) £ .^|.|, and thus, since .®|,| is a correspondence simulation, also {s 2 ,t) £ ^|.| 
for some t £ {tiJ^dsJadc}- As S 2 weakly respects barbs a and c, so must f, yielding t £ The requirement {S,T) £ 

■^11 M ^ ■^T yields {t 2 ,t) £ ^|.|, but there exists no correspondence simulation containing this pair. 
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prominent candidate is the homomorphic translation of the parallel operator ([[P | 2]] = [Pj | [21) as used 
in ini- iia shows that this criterion is too strict by providing an encoding that preserves distributability 
but does not translate the parallel operator homomorphically. Instead this encoding is compositional. 
Compositionality requires that the translation of an operator is the same for all occurrences of that op¬ 
erator in a term, i.e., it can be captured by a context. Compositionality is significantly weaker than the 
homomorphic translation of the parallel operator but also forbids the introduction of global coordinators. 
However, to ensure the preservation of distributability, this criterion is too weak. Il25]l claims to provide 
a suitable criterion for the degree of distributability, but without a formal way to reason about the effect 
of encodability criteria, there is no way to formally prove such a claim. Thus ll25l can only provide 
arguments and illustrations. The inability to formally prove it was one of the original motivations for the 
present work. Unfortunately, analysing the three criteria compositionality, the homomorphic translation 
of the parallel operator, and the preservation of distributability is not an easy task. 

Compositionality obviously implies some kind of congruence property on encoded source term con¬ 
texts, but it is not obvious how to turn this observation into an iff-result. To map the homomorphic 
translation of the parallel operator on conditions on a relation between source and target terms, is even 
more difficult. This criterion clearly implies some strong properties on such a relation, but it is not clear 
which condition implies the homomorphic translation of the parallel operator. Because of that, we can¬ 
not completely capture the effect of this criterion on the quality of an encoding. This explains why this 
criterion was originally accepted as a criterion for the preservation of distributability. It is not easy to 
capture the cases for which it is too strict. The criterion for the preservation of distributability proposed 
in ll25]l can intuitively be understood as a concurrency respecting variant of operational correspondence. 
It not only requires that the source term behaviour is preserved and reflected, but also that the simula¬ 
tions of independent steps are independent. Thus analysing this criterion appears to require some kind of 
simulation relations that not only consider interleaving semantics. We leave the analysis of these criteria 
to further research. 

All claims in this paper have been proved using the interactive theorem prover Isabelle/HOL. For 
this purpose, a rich theory of encodability criteria was implemented. Since we do not force any assump¬ 
tions on process calculi except that they consist of a set of processes, i.e., a type and a reduction 
relation, i.e., a relation of type ^ this theory can be used to formally reason in Isabelle 

about encodings for all kinds of source and target languages. A number of well-known process calculi 
including the Ti-calculus can for instance be represented in the Psi-calculi framework ||T1. Thus there are 
Isabelle implementations of well-known process calculi that can directly be combined with our Isabelle 
implementation to formally reason about encodings between such calculi. 
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